tv Annual Homeland Security Law Conference CSPAN September 27, 2017 8:00pm-9:26pm EDT
welcome to our conversation with facebook titled security versus security. i'm dean of the langston school university. and the head of counterterrorism at facebook. we were here last friday. there was a movie release called friend request. so we're here to do a review of that movie. because no news has broken since then in monica's orbit. when monica agreed or started thinking about it, our main focus was going to be on why when i post pictures no one ever says like or comments. but since then we've had a lot of things develop. so we're going to get right into it. we will address some of the news of the day but i want to do that at the end because i want to make sure we spend a lot of time at the beginning talking about some of the really great
incredible things that monica and facebook are doing in the counterterrorism space, which is the goal of this conference is to talk about those issues, particularly as it relates to different legal issues. so the frame that we wanted to lay out here is so often -- i know many of you have likely been to panels in which it's titled security versus liberty, right? security versus privacy. and it's my view, i know shared by many others is that's sometimes an inappropriate lens by which to view this debate and i would submit it is sometimes a poor framework for two reasons. one, it implies sort of a mutually exclusive balance that in our football, our sports culture, that one has to be winning or losing.
and that sets you up for the complicated things. i think we'll highlight that there are a lot of things industry is doing whether from an encryption standpoint, work in the security space that's equally important to what law enforcement might be doing to fulfill their obligations. by referring to it as some balance between privacy and liberty it can throw off the values of what our great american companies are doing in the space and second is there are some really important things facebook is doing to preserve free speech and we heard our first panel talk about that and there's really complicated issues around that. wanted to start with that lens because of time i won't -- and you have monica's bio but really incredible career both in public and private service. federal prosecutor.
worked in thailand. where else? >> chicago, d.c. as a prosecutor. >> a lot of places. came over in 2012 to lead facebook's efforts in this phase and is a real leader. so it's great to have her here. so without any more intro from me because you want to hear from monica. let's talk about your title, head of product terrorism and policy. i think that's an industry first. >> it is. >> they said what? facebook has a what? tell us how it came to be and what you do on a day-to-day basis. >> i've been the head of our product policies for more than four years at facebook and that entails overseeing our content standards, what people can advertise, how they can advertise and how they can target it, basically anything relating to how people can use our products. but about a year and a half ago when we
were really trying to double down on terrorist content, propaganda and terrorists attempting to use social media. we felt as a company we needed one leader of those efforts because what you have are engineers working on technical tools and reviewers who have to be specialists recognizing terror propaganda. you have lawyers dealing with government requests and former law enforcement agents in the wake of an attack interacting with law enforcement. it wasn't a unified team. i became really interested in it and asked if i could do both and i now am leading both of those. so counterterrorism separately. >> so security versus security. talk to us at the outset facebook's mission to make a world more open and connected
and protect freedom of expression and privacy. how do you address or look at those issues? >> sometimes those issues are in tension as i'm sure has been discussed today and sometimes they're not in tension. we certainly see -- facebook was created to connect people and our ceo, mark zuckerberg, has talked about the value in bringing people together and trying to establish communities. part of that means we have to make sure we're protecting speech and the ability for people to express themselves how they want to and connect very freely with one another. some of that will only happen if you have privacy. at the same time we know people won't come to facebook if they don't feel safe. so for us to achieve the mission of bringing people to a place where they're going to speak openly with one another, you have to have both and privacy, means, the ability to control
who sees your content and when. it also means facebook adhering to privacy laws, which are different in different parts of the world and making sure we're only providing data, whether it's organic content or ads. security means making sure we don't have our site used for things like planning terror attacks or exploiting children and there's many other things that privacy and security bring to mind but those are areas where there is no tension. we can really strive to have both and those areas work together and finally mention encryption. encryption is something that we use in a variety of different ways at facebook. it does not mean that we won't do our part to respond to valid legal process or law enforcement
request. for instance if there's a crime or in the wake of a terror attack. we can and do provide data to law enforcement. there are reasons that also protects security. whether it's protecting health information or sensitive financial information or sensitive government information. so it's privacy and security. >> i want to circle back on some of those points you made but i want to drill down in a little bit more detail about some of the more specific effort you all are focused on utilizing
human moderator. how you utilize both of those and balance that in furthering your interest. >> the policy is hate speech, personal information, intellectual property misuse, the list goes on. when we enforce those policies, we use a mix of human viewers and automation. or different types of technology. sometimes artificial intelligence, sometimes rudimentary. there's always a mix. and i'll give an example of where this works really well and an example of where it doesn't. if you think about terror propaganda or a child
exploitation, child pornography, often this is image based. >> there are no images. because that's technology that just matches an uploaded image to an image we already know about. and we can auto report it to the national center for missing and exploited children and it never misses the site. no one at facebook even has to see it. that can be a very good use of technology. thinking about hate speech. our policies around hate speech, which by the way are increasingly nuanced and have to be applied to more than 2 billion peoples' posts from around the world with more than 80% of people on facebook from outside the united states. so a lot of different cultures,
languages, ideas of what's okay to share. our hate speech policy is aimed to remove any attack against a person or a group of people based on that person's protective characteristics, such as race, gender, gender identity and so forth. there are many ways you can use words that could be an attack and use them in a way that is not attacking anybody. you could say this morning on the subway somebody called me "x." or i think we need to have a conversation in our society about the word "x" and how we can take it back from negative use. so we would want to take that word down if it's used as an attack but leave it up if it's used in the context i just mentioned. that's where automation has a much harder time. you can use machine learning -- i love throwing these terms around like i'm an engineer.
i'm repeating what i've heard from the engineers. you can take a whole lot of data about good uses of this word and bad uses of this word and you feed it through this machine and the machine every time it looks at the data learns from that and gets better at sorting. and after a while you can use that classifier to look at content and say this is likely good, this is likely bad. maybe we send that to our human reviewers and they can look at it but we can cue up for them the stuff we think is likely good or bad but that's a much harder job for technology. and so right now when it comes to a lot of our policies, especially things like bully, harassment and hate speech, the context really matters and human review is very important. >> to that point, as of now you had about a 4500 member team of
folks working on that and you've made a commitment to increase that to 7500, is that right? >> that's right and to explain what that is. i get a little -- sometimes people will call our reviewers moderators which i think gives the impression these people are looking at everything posted on facebook. that's not the case. the way that our process works is anytime you see something on facebook that you think shouldn't be there, you can report it to us, whether it's a photo, a post, somebody's page, an ad, a profile. you can report any of that and if you do, it's reviewed, sometimes using automation to help classify things. but often it goes right to a human reviewer and these are people who sit around the world in different locations.
they're reviewing content seven days a week in dozens of languages and their job is to decide whether or not the content that has been reported or that our automated systems have flagged for review, whether that content violates our policies or not. if it does, take it down, in either case they send a message to the person who reported the content. here's our decision. that team sat at around 4,000 a year ago and we have now ramped that up by adding another 3,000 people. >> to put context on it, facebook has about 21,000 employees. there's 2 billion facebook users. so that's a lot of coverage if people were expecting sort of a one for one review. >> i should also be clear.
if a piece of content is reported to us, we will review it, using a combination of automation, often using human review but if a content is reported 500 times, we do not review the content 500 times. we will review it a couple of times and if it does not violate, it doesn't and we'll put a protection on it so don't continue to review it. but things like i like this sports team and my team won and you're angry about it. that sort of post gets reported a lot. so we'll review that a couple times, not 500 times. >> i do that quite a bit. can you talk about the standards these reviewers are using to analyze this. i know there's a lot of criticism about them sometimes and the process. >> so more than 2 billion
people, dozens of languages, most outside the united states. so the guidelines for reviewers have to be really objective. as lawyers we're used to looking at criminal law and you say in any given case there will be a trier of fact who will look at things like intent and whether standards have been met. when you're talking about needing the decision to be the same on a specific piece of content, let's say a photo. whether it's viewed by somebody in the u.s. or india or ireland, you have to get to the same answer, you have to try to take that person's bias, subjectivity out of it. so the review guidelines we write are intentionally very, very objective. if you look, for instance at our policies around nudity. in an ideal world, maybe the
standard would be to say if it's sexual nudity, we'll take it down but if it's artistic nudity, we will leave it up. if you sit people in a room, even in this room and show them images and say is this artistic or sexual, people will not agree. so you cannot do that with reviewers. so you end up writing guidance very specific and won't necessarily reach the right result in every case. there's always going to be edge cases where you look at a specific photo and say wow, our policies end up leaving that up? that happens. you will always have edge cases. but there's still a value in having this objective rule. so we write guidance for the reviewers and update it at least every week and sometimes more frequently. if there's something in the public we're responding to, let's say an event and certain graphic imagery, we will make decisions and provide ongoing
guidance to the reviewers. >> so most of facebook members are outside the u.s., correct? >> more than 85%, yes. >> and you're talking about reviewers in every country. you're also faced with a myriad of international laws. talk about how you balance that, some of the challenges you're seeing from an international perspective and how those run against u.s. constitutional for that balance. >> this is a really interesting landscape and a challenging one. we have seen a number of countries either pass new laws or become more rigorous about online speech. and their standards are almost always tighter than u.s. first amendment standards. they restrict more and sometimes go beyond what we restrict.
so you have first amendment protections, then you have the facebook community standards, which is our content standards and those we do take down, like i said hate speech. we define that and remove it, even though it's permissible under u.s. law. there are other things we remove that are not illegal under u.s. law. above those community standards, you often have laws internationally around hate speech or sharing of terror propaganda where it's actually criminal speech and an example of a law we've seen recently is the german gd law that requires social media companies to delete from their services within 24 hours any manifestly illegal content and there's a list of german laws that we, as a
company areinal forced on our site. it draws into attention the goal of having borderless community, meaning our friends around the world can see the same thing versus a more balkanized set of standards where you're satisfying different cultures, maybe even individuals. within a country. so you can have that more balkanized system or this uniform global system. but you really can't have both. we've been trying to walk that line for years at facebook by saying we're going to have one set of community standards. if a government tells us about a piece of content and say this is illegal, even though it doesn't violate your standards.
we will have our legal team review it and see if it's consistent with our laws. and whether or not we should comply with it. if we ultimately -- and there's a whole lot of factors that would go into that, including is this political speech against the government? how many people do we think would be affected. we do it only in that country and we publish that fact in the government request report. so that's a way we're trying to straddle the line but it's getting harder if you look at our government request report you'll see increasing requests from a number of countries. so it's getting difficult to straddle that line between a global community and making sure we're complying with the law we need to.
i want to shift back to domestic law enforcement and your work there with government. i think post san bernardino and the events that happened there. we saw a ramping up of this government versus industry in some ways. i'd like you to talk about your partnership, your work with law enforcement. because you do a lot in this space. >> we do. >> to really make an effort to be a good citizen and comply. so talk about those efforts and what you've done to ramp that up or how you balance it. >> there's two primary ways we interact with law enforcement. the first is if we get a request. if we get valid legal process and when we will proactively provide to law enforcement. we have a mechanism through which law enforcement can request user data if they
provide the appropriate legal process for their country. there are restrictions around what we can provide and under our terms, we only provide this user data when compelled to. so something that is requesting user content from a country outside the united states, often the appropriate avenue would be through the mutual legal assistance treaty process. so they can go through this portal. sometimes they might have to go for content, they might have to actually go through u.s. authorities to get that content from us. we have a team that responds to those requests. and that channel is much like our content review, manned 24 hours a day. partly that's because we sometimes get emergency requests. so if there is a terror attack or something that is a crisis, there's missing person or
somebody in danger or law enforcement submits something to us, we know we need to respond right away and it's always manned and literally a box to check if it's emergency legal process and the law enforcement officials can explain why it's an emergency and we'll respond right away. sometimes we will become aware of an imminent threat of harm on facebook, even though we haven't received legal process. for example somebody planning a terror attack, we can and do proactively refer to law enforcement authorities. >> any other comment or thoughts on why in the end encryption, i know you don't have that at facebook, but why that's so critical in protecting privacy in your users.
>> i think -- hopefully people in this room have some idea of encryption and why it's important for protecting people's privacies. we hear about hacks all the time. but i guess what i hope will happen in the near future is that as people continue to discuss encryption, they'll become more knowledgeable about the different types and values and costs. because it's not as simple as an encryption is always good and there's no cost to it and it's not as simple as saying any use of end to end encryption is bad for security, for the reasons i mentioned earlier. these are really nuanced topics and the thing i think we can all do as people who work in this field is get the word out there that there are really different types and uses of encryption and there are pros and cons, especially end to end encryption
with national security. >> facebook's been the subject of a commander in chief tweet this morning about the situation going on relative to news and the accuracy of news out there and propaganda and the influence of foreign powers in our election and last thursday, mark zuckerberg came out and released a video in which he highlighted nine steps that facebook was taking after releasing to both robert mueller and congress the 9,000 ads that were purchased -- >> 3,000. >> sorry. 3,000 ads purchased by russian-linked entities. so lay out, to the extent you can, your efforts in this space.
>> sure and as josh just mentioned, our founder did post about this last thursday. something that's a pretty short video to watch but something i think you might find -- >> i would encourage you all to go watch it. >> i think what you'll come away with is we do, as a company, take this really seriously. we want facebook to be a place where there's political discourse, where candidates are free to discuss their views and their ideas and where people can challenge that and really engage in the sort of speech you should have around any election. we don't want our service to be exploited by people who are trying to manipulate it and that's why we did this initial investigation, which we undertook on our own to uncover any abuse of our service during the election. it's why we wrote a post back in
april, our chief security officer put a post up about disinformation on facebook where he talked about the efforts we were undertaking to try and identify any abuse of the platform for the 2016 election and other elections and now we've come out and said here's what we found and i want to be clear. we're still looking. and mark said that in his video. we're going to keep looking at what has happened in the past and going forward. what are we doing? a couple of the things mark mentioned. we are cooperating with governmental authorities and that does mean disclosing the ads to special counsel and with the congressional inquiry. it also means we're going to focus on transparency in our ads and i don't know if you've ever run ads on facebook. but ads on facebook are most
often run from pages. so you create a facebook page. your page is about your bakery and from your page, you can run ads on facebook where you don't necessarily link back to your page, but you can. what we're going to start moving towards is improving our transparency so when you see an ad on facebook, you can see who's behind that ad, you can see that page and then go to the page and see the other ads that page is running. that's part of it and we're looking at ways to be more transparent there. we're also ramping up our engagement so we can understand the issues of what they might encounter and get ahead of the problem. and finally like you mentioned with our reviewers we have specialists at facebook who are working on election integrity and we have committed to
doubling that number and hiring several hundred new people on to those teams that we can make sure we're doing everything we can to prevent any abuse of our platform around elections. >> can you talk a little bit about the actual process to purchase ads and how that works. >> sure. we have millions of advertisers and most are self service, meaning most of you today can set up a page and say i want to promote this poster. of course we do have checks in place on payments to make sure we're compliant with all relevant laws. but you submit your payment information and pick to whom you'd like to target your ad. submit the creative and that ad, it goes live. it is reviewed before it goes
live with a combination of automated systems and some manual review, for instance if you tried to upload an ad using the word cocaine, that's something that is going to trigger some review. but by and large the way they work on social media is they're dynamic. so a lot of this is self service. these are very small advertiser, small businesses and that's an important landscape to understand and for us to protect. so when it comes to political ads which will be the subject of the increased transparency efforts i was mentioning earlier, anyone can run a political ad. but we want to make sure we're being transparent. >> so in addition this might be our last one.
secretary chertoff mentioned this morning we need to get at preventing the impersonation, the fake question. how do we deal with that authentication side, so not just transparency and laying out who folks are, but how do we authenticate they are who they say they are? >> we should think about from a facebook lens and then from a broader lens. it's unique in that we require people to use their real names. that means if you use mickey mouse for your name, we will try and detect that and if it's reported to us, we'll look to see if that's your real name. we may ask for identification and if we determine the account's fake, we will just remove it, even if the content on the profile is completely
fine, we will remove it just for being fake. the ads that we've been talking about the reason we remove those was because they were coming from inauthentic accounts. that's a real powerful tool for us is requiring authenticity. it's pretty rare. so as we think as a is to, as a country about how to make sure we're protecting the integrity of conversation around elections, that's something i think we'll have to talk about. i think it's going to take a while to figure out and we'd invite you to come back next year and give us progress on where you are at. so please join me in thanking her.
i'm going to let ken introduce our special guest but i do want to express our thanks to tom bossert for taking the time to join us today. we've had a very good conversation so far and you will certainly be contributing to that. and you're literally in the eye of several storms at the moment. and so we really do appreciate it. i will leave you in moderately good hands. i think you and i have both had the experience of having to work for him and i will tell you i survived. it took 12 steps to recover and i suspect you'll probably have an easier time. but let me turn it over to ken to introduce our special guest. thank you. >> afternoon, everybody. it's great to be here and i did have the dubious distinction of
trying to manage steve, which is a bit of a misnomer actually. but it's a treat to be here with steve and a number of my old colleagues. but a particular treat and pleasure and honor to be here with my friend and colleague, tom bossert. he has deep experience in the homeland security area, dating back. i got to know him in 2008, i believe it was when i came on as homeland security advisor, the job he has now. i came in as a guy who knew something about law enforcement and counterterrorism intelligence operations. had no idea what the stafford act was or resiliency and i looked around the homeland security council who i felt would be particularly helpful and could help me get up to speed on these things and tom was the first person i looked to and tom ultimately partway
through my tenure became the deputy. it would be an understatement to say i relied on him. so it's been a particular pleasure and for me to see tom, ascend to this position and do the fantastic job we've done so far. let me echo steve's thanks for being here, given the few things on your plate right now. it's a plate that's always full. it's full of very diverse things, as i alluded to, everything from law enforcement to pandemic flu to natural disasters. but that's made particularly more difficult and complicated in hurricane season, especially when you have one like this, which is almost unprecedented in terms of the relentlessness of the hurricanes that have been hitting us. so thanks to tom for being here. so what i think we'll do is tee up some topics for you, tom.
>> thank you. i'm still in the denial stage of my 12-step recovery. just a few introductory remarks. first, thank you very much for having me here. it's not your honor, it's mine to be here to speak to this group and recognizing a lot of you here have taught me what it is i think i know, i'll be very respectful of giving you my thoughts and opinions, knowing you'll probably still know more than me and continue to but maybe a few light hearted remarks. monica does a great job and i want to state here and now for the record on behalf of the administration that what they do to take terrorism related information off the open internet is breathtaking, remarkable and kudos to them and the other social media sites that have led in this space. monica and i took a picture intentionally of ourselves in front of a bar named isis.
and we jokingly said we should post this and see if your algorithm can take the isis material off the internet. we haven't tested it yet but i believe they could take it off and monica's examinations could bear later for a lot of accolades. thanks for having me here. our guest panel, thank you for listening to me and forgive me if i ramble it's been a bit of a tiring week. >> did you end up going to the bar? >> no. >> so both you and she could probably use a drink? >> we could but we did not. one other anecdote for those of you that follow this. yesterday was the 70th anniversary of the national security council. today we commemorated that inside the building with all hands, 250 person h.r. mcmaster and i kind of led the
conversation, a walk down history lane and it struck me that the national security council and the staff structure has evolved quite a bit since its formation but it's pretty interesting to note that since 2001 it has made more changes in the last 16 years than its collective prior 60 or 55. it now includes hurricanes, cyber threats, terrorism and it's really an inspiration to watch that team and happy 70th anniversary to the national security council. let's start with something in the heart of your responsibilities. the nfl. >> i prefer to stand. >> there you go. amen. so let's go straight to hurricanes.
its responsibilities have changed dramatically, nowhere as much as the natural disaster response recovery effort, so if you would, given your deep experience, dating back to katrina and hurricanes. if you had give us an idea of the particular challenges that have been presented to you all by each of these hurricanes and each one has been different. >> for some reason even with an eight-year break, i have been in a management responsible role for every major hurricane since 2003 to hit the states. it made me qualified to handle
the response. it's an unprecedented storm season but by and large an unprecedented and unified effort in terms of response. we have a long road to go. our path, not with puerto rico, so i don't want to do a victory lap. and the fact we've done it back to back to back and with the insular territorial island challenge and then two states at the same time, i couldn't be any prouder. so maybe the bigger observational answer is this. the nsc structure has always been staff organized around regions and when you and i look at the history we see a asia desk or middle east desk and those regional governments tend to pose the biggest national security threat. and after 9/11, we realized we needed a functional organizational model and the
concept ended up with a counterterrorism director and a cyber security director and a resilience now director. but they move across any area or region of the globe. so they now include as well this all hazards concept where a number of things can be large and consequential enough that they literally threaten the national security and so the big challenge for me in the white house, instead of getting into the operations of fema is to contain the effects from going into a spiral from local to regional to national. and we came really close to losing that handle. the regional problem of power outages almost led to the loss of the two big pipelines that supply the east coast and that cascaded into an international supply and demand model.
so you try to contain first and make sure there's a competent coordinated federal government effort underway to support the state and the traction i've gotten on just repeating the basics is reassuring. bless you. the idea of supporting the governor and not doing the governor's job is paramount for me to stress and we have now had governor abbott, scott who have done a bang up job. but now we've got two governors that could have easily folded from the pressure and they didn't. so i flew down to see him monday. he's showing every leadership instinct out of a big state governor and he's on a small island fairly remote and removed. and he's marshaling the resources of 12 navy ships and all the aircraft support you'd
expect a three-star general to marshal. and he's doing it effortlessly and the same for the governor of puerto rico and he's dealing with problems that are unique. i'll tell you what we've done with puerto rico. we haven't lost control but we've adjusted our business model. not because they're incompetent. they're not. and not because they lack skill or leadership quality but because they've lost capacity. so if it you look that energy restoration workers that live there, and the emergency staff, 80% of them have lost their homes or in some ways their families have but they've nevertheless suffered. so they're augmenting the capacity. we help them pull resources and helping push them the way we traditionally do it. that's something we learned after katrina and i know you
experienced that. we're doing well. the governors are doing well. the puerto rico people are showing the same resilience and compassion we saw the people of texas show and i think that's a real testament. and maybe one defensive point. i saw people were criticizing the administration for not waving the jones act. so i'll get technical on you. the particular law that prohibits nonu.s. flag vessels from moving between domestic ports. whether you agree with the merits of that law, it's been in place for a long time and we often wave it when we need excess cutapacity to allow foren flag vessels to bring needed commodities, usually oil into the effected area. we did it in texas and particular with florida because the entire peninsula requires shipping by ship. it doesn't have a pipeline structure like the rest of the east coast. we did not do it for puerto rico and there are people asserting
for political purposes we're doing something different and therefore less supportive of the puerto rico people. not true. i'll stand by this decision every day. the problem is requirement. we have plenty of u.s. flag vessels and plenty of capacity to exceed the requirement. you only waive what is in your way. the problem is once you got the refined product to the island, you have to distribute it. but it has not been getting the product to the island. the message is we have american supplies being shipped to help american citizens and puerto rican citizens are american citizens. this is a good news story. >> okay. fair enough. why don't you take a couple minutes if you would and give people the sense of the role and
the life cycle of a disaster. i'm not sure people really understand the centrality of the role. >> counterterrorism, which global concern or cyber, which is a transnational or global concern. in the domestic context, it's not just domestic. we had an earthquake that hit while we were in unga. and i was doing meetings and there was a hurricane. you balance this. and there has been some evolution in the last 70 years. but the idea of the national security council staff, and we're all staff. the president has been elected. he's got authorities. the cabinet has authorities and money. the rest of us support this effort. the idea for success to kind of get over this policy making hill. so we articulate options for the president. and make recommendations for the president. two different things. they have to be feasible options. and they have to be well informed recommendations. and we have to coordinate the
cabinet and all their support staff with all their expertise. and then we have to help the president once he makes a decision on the other side of the hill track implementation. and that's where you can get into trouble. tracking implementation and staying on top of it can be done properly, and we can have a sustainable number of meetings and have metrics of trust or have metrics of distrust and micromanagement and meet too often and irresponsibly and get in the way of their implementation schedules and hold them accountable in a way that ends up holding the reins too tightly and putting us in charge of operations. every once in a while you have a staffer that decides they can actually direct operations out of the white house. when they get away with it, it's just annoying and that 12,000 mile screwdriver we talked about. when we do it, there is no authority to support or worse, we end up with our allegations and so forth. the trick is to coordinate my level. i coordinate the cabinet.
my deputy's level, the deputy secretaries. and below that, the assistant secretaries or under secretaries. and you coordinate them and note all their positions and faithfully serve your role as coordinator, then you're doing the president a service. if you wait until the last moment to explain to the president, and i can tell you that ken wainstein excelled at this. often presidents get, i don't know, a little cranky, right? i've worked for two that are impatient at times because of the demands of their schedule. and they want to know what should i do, what's your opinion? and ken was pretty good. and he taught me this. really good. don't tell the president what he wants to hear. don't engage in confirmation bias. and most importantly, start by telling the president the opinions of his cabinet members. otherwise they're going to resent you for being there close to all the time and it breeds all sorts of contempt and it's bad. your secretary of defense believes you should go straight
ahead and your other three secretaries think you should turn right or maybe sit still for a little while. and at the other end of that, you know, sometimes frustrating process, he'll say gray, what do you think? and only then is it appropriate for i or general mcmaster, general kelly to give the president our personal views that will generally sum up what we do for a living. but there is a whole lot that goes into it. and i learned today that two staffers in the early creation of the national security council staff actually worked to death. >> they worked to death? >> they worked to death. so i'm sure there was some other causality for those approximate cause analyzers out there. but there were two people that actually worked so hard that they died in the job. and i can tell you that the staff work 18 hours a day, and they can't afford to make a mistake. one of the young staff came up to me and said we're sharing stories. he said i on my first day had an opportunity to go in and brief the president. i didn't know where i was or what was going on. there's a long story to it.
and i uttered a sentence. thinking it was innocuous. and ten seconds later the president was on the phone with putin uttering that sentence. i said you have to realize the power you have around here and be careful not to say things that are glib or wrong or not fact-checked. so it's a high stress environment. and you have to constantly be on top of what you're thinking and doing because it's a great honor. it's what we do. >> i can see the next all-hands meeting tom has. i know you guys have tough work conditions, but you're not working yourselves to death. >> that's right. yeah. >> back in the old days, they worked themselves to death. >> at least one of you. >> so look, at the risk of being too inside baseball edition, too geeky, but i can't help it. i'm a geek. we talked about the changes to the national security council. we had the nsc. the president bush and then congress established the homeland security council. you had homeland security
adviser, now security adviser. and president obama came in and commissioned john brennan to do a review of the structure, make a recommendation. they recommended folding the two basically into each other. homeland security adviser teamed up with the national security adviser. and this administration has made some tweaks to that. that is sort of going through the history. how do you think it is playing out now? because obviously there are a number of different concerns at play. one is there is a whole constituency of -- that is sort of the homeland security constituency that came to the fore after katrina, and that we hear from. and there is always been a concern registered by them that maybe homeland security concerns, as sort of generally understood, might be subordinated to national security concerns, the more traditional ones. how do you think it's playing out? do you think it's a real concern? >> no, it's a real concern. it's a good question. i can give you a short answer. we went from too hot, to too cold to just right. where we are now i believe is just right. i believe that in my heart. too hot meaning we had a
separate staff coordinating the same cabinet by and large. we were constantly functional here and regional here for the most part in some form of separate cooperation. it was frustrating at the staff level. am i the only person that held every job? the director, senior director, the staff, deputy assistant and then ap, which is kind of the triple in the cycle if you will. so what the obama team did i think understandably and rightly was to combine the two staff structures into one unified staff support model. but what they chose to do is take the position you and i held, or you held before and subordinate to it a degree. but they played a little bit of a trick there they had john brennan and lisa monaco i think this year be a deputy to the national security adviser, but retain the same rank title and open door access to the president so as to avoid the concern that counterterrorism would take a back seat to let's say peace in the middle east. and so other people have opined
that that was the case. i think you can just as easily attribute any policy decisions that were made in the last eight years to the president's preferences and not the organizational structure he adopted. but personalities make a difference, and work structures do sometimes matter. what president trump decided to do, i think wisely, and i spent quite a bit of time talking to him about this in transition was to take my current position and reelevate it to the position you held and that townsend held before you. and at some degree tom ridge and general gordon. so what we've got is a matrixized combined hsc-nsc staff under the name of the national security council staff now, which is good. and it's got that historic, honorable name and position. but it's led by two people. now h.r. mcmaster, the national security adviser, takes a special role and prominence here. and if there is any particular disagreement between he and i, especially if there is an international flavor or component to it, i'll awn see
his judgment as he sees the world and the interaction as. but generally not. the president wants to know my view and his. and generally, he and i speak pretty much the same language, and we're able the take different positions without being argumentative in any way. what's neat about that is this matrix staff has a place to go. so if you end up feeling like maybe my point of view will be dismissed routinely because one of the two principals tends to not agree with my point of view, well, you've got two principals. and for the most part now, president trump has become very comfortable with that. in the very beginning, just like president bush we had to constantly remind me, sir, i don't handle north korea. and hr says i don't handle cyber and hurricanes. so once he got that in the first couple of weeks, i think we demonstrated that this is the just right model. i'd advocate it for the future, but personalities can dictate that. >> all right. you just mentioned cyber. and you are, i think, by all accounts, claim to be an expert in cyber matters.
you've been working with them for years. i remember you banging that drum with me when i first came in, the need to be a little bit more aggressive against the cyberthreat. >> yep. >> i know you worked on cybermatters quite a bit in your eight years outside. just give me sort of an open ended question. where do you see the state of cybersecurity? obviously the government is not the only player here by any means. but in terms of where the government is going and what plans you might have for firming up cybersecurity going forth. >> the easy part of that question is how do i see the cyberthreat? i see it as a trend line going in the wrong direction in a big-time way. it is a shared responsibility between government, private actors. international and domestic. and individual accountability, which sometimes gets lost in this conversation. but the trend line on cyberthreats is going in the wrong direction. and the capabilities of the bad guys at this point are
matriculating out into what we would have considered before a smaller or lesser threat. there is no such thing anymore. we've got very advanced cyberadversaries that would be operating in what would be very small countries or non-nation state criminal organizations. these are things i think you already know. we've talked about this quite a bit. there is a six or seven pages worth of dozens and dozens of recommendations i think you'll see coming from us, the administration in the form of upcoming strategy, in the form of a nist framework update and there are a number of things you'll see us do. but at the strategic level -- let me see if i can answer the second part of your question. i think it's time, and i think this president will lead in this fashion, to articulate a better and different vision. so instead of putting forth a strategy that simply knits together our current capabilities in a way that address the problem, i think it's time for us to start having a conversation as a country about what it is we can tolerate our government doing. because our government needs to
be more involved, i think, and i believe the president believes in protecting a broader set of national interests. we've got certain critical infrastructures that are so critical to the functioning and survival of our country and its economy that we have to do more to protect them from foreign adversaries online. and i think it's also probably a time for us now to concede that there is a low level, low intensity constant conflict going on online at this point every day there is no way around that there is no clear malefactor. there are thousands of malefactors all with their own interests. at this point we have to take the rhetoric of increased defenses and elaborate. increased defense is going to impose a cost on the bad guy, on the malefactor in this case, whether he is a criminal or nation state actor. but it's also going to do something a little bit different. it's going to impose costs. and that serves as a deterrent.
but it's going to protect us in a baseline way that doesn't make us the most vulnerable country on earth. right now this country, the united states is great for a lot of reasons. and one of them is we invented the internet, and we used it to great purpose. and we've created lots of different conveniences for ourselves. but in so doing we've also put ourselves in a vulnerable position that i think dictates and requires that we act a little bit more together. and maybe i can articulate to this audience something that i kind of hold in my world view. and i say that because you're mostly lawyers, i think. the idea here is that the analogies to war manual for those that federal good. i'll come back to that. but from my perspective, we've lost a little bit of the civil liability calculus here there is a property analysis here. at this point, we've talked about it as a crime or an act of war. but remember, too, that we've got the ability to exclude others from using our property. not just the right to use our property or transfer without
third party intervention. this is a fundamental part of the bundle of property rights that lead to capitalism itself. i think that ability to trade and use property as we deem fit without hurting those around us and excluding others from using it is a useful way of thinking about the role of government. we never in this country object to civil courts enforcing contracts and promises between two businessmen or women. we never think of that as get out of our lives, government. in other words, we've intentionally designed our government to separate it from religion. but we've intentionally designed our government structures to support our socio-economic preference of capitalism. because of that, i think we should recognize it and embrace it. and in lots of ways, rely on our government. i went to israel and announced our first u.s. bilateral cybersecurity agreement with the israelis. and in their country, if there is a cyberhack, almost every one of their citizens says immediately well, where is the government? it's a fundamentally different
point of view. they have a trust and a different view of their government's role in protecting them. i've now been out on the record calling what they do a virtual iron dome, if you will there is a lot of benefit there. but they've got a small country and the capacity to do that. we can't, even if we wanted to, and i don't advocate it, protect every network and system inside our country. but i think we can take some lessons from what the israelis have done. and i think the british have led the way on this. they've tailored that approach with their needs and their sensibilities of privacy, and they extended some government-led defensive measures to those very critical components of their society that require some extra defenses in the name of national security. i think that we should be contemplating doing the same. so that's half of the deterrence model. we've had an executive order that president trump put out at the beginning of his tenure to also concede that we have to practice what we preach and start at home. and i'll preach this to each of you. i'll come back to personal
accountability. protect your own systems. and if you're running a company, protect your company systems instead of worrying about what everybody else is doing. often i see people that are cyberexperts preaching what everyone else should do, and they're sitting on top of poorly secured networks and bad systems and antiquated software. hardware because they don't want to put the money and time in patching and updating. and that's the kind of hypocrisy that doesn't set right with me. and so we started here with the federal government and decided that we needed to improve the security of the federal networks. and that's an effort that is under way right now. and it started with a very clear minded, clear-eyed call that we need to stop supporting antiquated technology and immediately begin the procurement process reform of buying shared services and getting on with the fact that you can't replicate an adequate security model in every department and agency given the budget constraints and the jurisdictions and the expertise that we have resident in 190 difficult federal departments and agencies. and so president trump put out pretty aggressive executive order that says from this point
forward, shared service, cloud service, shared security services and modernize the i.t. networks. i'm really thrilled that people with a lot of business background like jared kushner and others have run that down to the ground and to handle the implementation coordination i talked about that. so we've put that in place. and hopefully we get a little bit better there. just as anecdote, you remember the opm breach. had we had defensible hardware and software, which we did not, we would have been able to prevent that breach. and i think that breach was one of the most costly in terms of the loss of probably a lot of your clearance backgrounds. i know mine and ken's were affected. and then i'll end with where i started in this shared responsibility model. and that's the second part of the three parts of our executive order. that is how are we going to handle the critical infrastructure owners and operators and the way we're going to do it is bolster the fbi's critical role and the
secret service critical role. partnering with our intelligence community when appropriate. but we're going to further narrow what is critical from the list of critical infrastructure. and joe is here. he knows how he started with the critical key sources. there were so many numbers in each sector that it became everybody becoming eligible. we've narrowed it down to that very small group of what we call section nine entities. i think that's where we're going to end up focusing a lot of our initial efforts. and that's it. that's the road map of where i think we're going to end up. what i left out was the other half of the coin on deterrence. so that's the hard part. you can deter with defense. but you can deter by taking a kinetic or a punitive step. in trade practices or sanction. and when that's merited, i think we should reserve the right to act unilaterally. i know we will. i would explore acting in a bilateral way in between now and that great future day when we can have a group of multilateral
thinkers or shared allies, right. so we've got different ways of referring to it. the gge in the u.n. is a great multilateral body. they've done a lot to get us to a place where we have agreed upon norms in the like-minded. i think that's great. it should be commended. my experience is multilateral organizations aren't very good at enforcing when there is a violation. if you take the u.n. security council as a model, there are always other considerations that tend to prevent a group body from reaching a consensus to punish one of its members. i think what we'll do is reserve the right to act unilaterally in rare cases where punitive measures are necessary, prepare to act bilaterally to assure the public there was some degree of adequate evidence, attribution and proportionality in the force that we use or the sanction that we impose. but we're not quite ready yet. and i think we would never publish our playbook. but i think it's my sense and it's the cabinet's sense that we have to start doing and developing a record of conduct
to examine, as opposed to thinking. otherwise we'll never settle in on a subjective perfect sweet spot. i'm not suggesting that we will dabble or play jazz music in an irresponsible way, so to speak. what i am suggesting that on occasion when it's necessary to smack somebody in nose for doing something that is clearly wrong, that we'll do so. so that's it on cyber. >> just that? >> that would be how i would have briefed you. and i honestly it's probably the first time i've articulated that in public. so i really do respect this group's view on it. i know you've met for the last few days to think through all the thorny legal challenges that accompany a cavalier high level articulation where i'd like us to go. so i would encourage each of you to keep looking at what we're doing. because the number of interlocking laws and like its and considerations and motivations from the private sector tend to create bad and odd, weird unanticipated second
and third tier effects. and that's what we always fear in policy making, that we do something that makes sense and it turns out to be a bad idea. >> that was a great sort of overview in a feast of food for thought on so many different respects. but i guess, let me just follow up on one of the last points you made about international body that would have enforcement teeth to deal with cyberoffenses, especially by other nation states. do you see that as being a real possibility? do you see there being any movement in that direction? i agree with the circumstances. it just seems like the natural sort of way to address this ultimately. >> i know that there are some companies, and i agree with a lot of what they say that advocate for this kind of geneva convention type of model. and i know there is -- brad is a friend. and i know that there is some attractiveness to it. but when you look into the implementation and you think about some of our friends and enemies who come out and say with great indignity, i can't
believe you won't share with us all the information and all the data and intelligence that you've used to determine that somebody did something wrong. it's almost galling to see people on how easily they can lie to you with a straight face. so i think what you have to balance is our own national and self-interests with the appealing but problematic notion of group consensus in an international forum. and in the cyberarena, i don't think that it's right for international and kind of consensus-based enforcement right now. but that's the objective. >> okay. let me pivot over to counterterrorism for a minute. we had heard some very interesting insightful remarks from monika earlier today about where things are in terms of counterterrorism effort or the terrorism threat generally. and then also the effort to meet that threat, focused on the fact that isis has a shrinking base now, and that's causing it to change its mode of operations. as to that particular issue,
where do you see isis going? where do you see its threat manifesting itself? and then where do you see the broader areas of threat and how we're trying to meet it both strategically and tactically? >> we are taking quite literally president trump's guidance to annihilate isis from the face of the earth. and i know that sounds maybe shocking. but the idea here is that has two implications. an annihilation strategy quite literally in a military context is the difference between what we have as a country done previously which is to approach them and drive them out of a city, to now surrounding them and killing them. i know that sounds gruesome, but it's absolutely merited. and that is how we've cleared mosul. and i believe that's how our partners approach the strategy with our u.s. military is going to drive isis from raqqah. now that said, we have still a significant land mass of middle east governed by isis so-called physical caliphate.
it's going to take some time to continue to operate in a way that shrinks their control over physical space. but the way i see it shifting, monika was here for a good reason. because they're going to shift from physical space to virtual space. and we're going to have to accommodate that. and we're going to have to decide where our social sensibilities are in terms of what is and what is not viable online speech, but also from my perspective, i don't think there is any such thing as a first amendment problem here. terrorism speech just flat-out something that should be removed. and generally speaking, a lot of it is so easy that it's not worth the debate. taking the video of a beheading off is easy peasy in my view. we're also going to have to take into account this diaspora account. i've stayed in touch with lisa. some people call it a snowball. you squeeze it tight enough and you see it squirt out. there are going to be isis movers that are resilient. they've demonstrated the same resilience unfortunately as other previous advocacies in our history. and they find east different
places to operate, different safe havens. what we've seen to respond to your first real principle there, they've expanded into -- and this is not meant to be alarmist. but we've got now a terrorist presence both isis as they spread and return home from certain combat operations, but also al qaeda and affiliated groups, boko haram into 18 different nation states that are in various degree of instability or civil unrest or loss of government control. so at this point, i'd say it's a comparative analysis problem. we were conducting against two groups that we had kind of our hands around so to speak in our view. and i came back into government service and was blown away that we now have terrorists in a significant concentration head across north africa and all throughout the middle east. and now we're tracking quite closely ongoing operations to
take isis fighters out of the philippines. and you're seeing operations in ma where they're fighting block by block. this is a truly alarming trend line of the global jihadi threat. and i think that we've decided to take a constant and applied pressure strategy here. and so this is not too complicated a strategy. but it is an increase in pressure. it's an increase in sustained applied pressure. and instead of just taking out high value target here and there, this administration is pursuing networks and their support. and that's how i think we're going to take it back from a spreading lawn into a more controllable and addressable threat. now that said, we can't just win this thing militarily. we're going to need the support of other nation states who have to care about their own safety just as much as we do care about their safety, if not more. and they're going to have to
contribute to it instead of just picking up the phone and calling us and say can you give us more help. the americans need schools in brooklyn as much as we need to defeat a terrorist in mosul. that said, though, we're demonstrating some leadership. people weren't sure president trump would be able to do that. i can tell you he knocked it out of the park in unga last week. i was with him for all the meetings. the foreign partners that we engage with, and many were thrilled. we spent time between the president of the united states and small countries in africa and large leaders in europe. and i think it was absolutely masterful stroke. the speech aside, which i thought was good. but the speech got all analysis. what people didn't analyze is the fact he spent the entire week there meeting all day, all night with foreign leaders on real assistance. i think he showed some leadership there. and to get a unanimous vote out of the u.s. security council against and with the same purpose in mind the behaviors of the north koreans i think is also laudable. it's terrorism. but he is demonstrating kind of a consistency that people can
get behind and defeating isis, everybody is on board. so there is more money there is a 68, maybe 70-member coalition because we've added interpol and other members. and it's breathtaking in its collaboration. >> okay. at the risk of getting the hub because of time constraints, we're going to pitch in. >> express thought. >> jointly held pet issue which is 702, which is shorthand for the amendment passed in 2008 and the authority within the fisa amendment which allows the intelligence community to surveil non-u.s. persons overseas for counterterrorism and other national security purposes. and all the more important given the situation that you're diagnosing now where you have isis sort of metastasizing and spreading out. and you have a particular need then for surveillance to be
nimble and to be able to move from one target to the next as national security imperatives involve. without having to go back to the fisa court to get an order from the fisa court every time you do that. where do you see the debate right now? where do you see the 702 reauthorization going between now and the end of the year? and what can we do to make sure that it gets passed? >> the administration's position, and i'm very serious with this, is a clean and permanent reauthorization. period. now i'm sitting next to -- and you're looking at the guy that is probably the world's expert on this. so you want later to ask a lot of question, audit his court. you taught me this. you were behind this. you were the voice on the radio of the administration then, and fortunately not tv. but you were -- >> there is a reason i was on radio. >> you were behind the scenes. you were in front of the effort. and quite seriously on behalf of the nation we should be very
thankful to you for getting that modernization put through. now an understandable sunset provision causes that authority to expire at the end of this year. and the authority is for this. this is the layman's translation. it is the authority that allows us to surveil foreign legitimately argued the foreign national security targets, right. foreigners on foreign land. this is not about surveilling americans. and we're not allowed, in fact prohibited under this authority from targeting a foreigner here in the united states or a u.s. person in the united states or a u.s. person in a foreign land. all those things are prohibited. this is about foreign threats in foreign land. and if you understand it that way and start explaining it to those that are in decision-making cycle, i think you'll help the cause of at least eliminating intentional confusion or conflation between other titles under the fisa law titles 1 and 3 tend to be where
people focus. some of the news of the day tends to focus us there. but this is about simply not just a warrant by warrant situation. this is about a certificate in a way that allows us to use -- actually, back up. not use. the reason this exists is because the united states is very good and led the way in the internet. and now it can't be used against us that a foreign terrorist in a foreign land chooses to use u.s. internet provider or u.s. software. just because we're good and they choose to use gmail doesn't mean we should handicap ourselves from being able to surveil that person in a foreign land that is trying to do something bad to us. i believe that the senate will end up demonstrating the leadership to put into place a clean and hopefully permanent reauthorization of the law, and that we then have to go out and educate as many house reps as possible to ameliorate their concerns that we might mistreat unintentionally target americans or mistreat the information that gets unintentionally collected on an american.
and let me just address that very directly. most of you know the wiretap history of this country. and you know that there are practices in place to mitigate the handling of information of innocent third parties. so if you've got a wiretap on a mobster, and the grandmother down the street calls and asks to take the trash out, there are mitigation in place to not record that type of information on that innocent grandmother. we have the same prohibitions and mitigation practices in place for incidentally collecting on a third party american that might be in e-mail communication with a legitimate foreign terrorist, prince, target in foreign land. so if we can explain that and you can get yourself to the point where you can believe my assertion, i think you will. if you look into it, you can help us educate the lawmakers who have to reauthorize this authority and encourage them not to think about a secondary kind
of requirement where they say you have to get another warrant to search the data you have already collected. go out and do your lawyerly job of educating those who feel that way to understand we have already collected it lawfully. there is no reason to have a separate authority here to make us do what we have already done lawfully a second time. so that's where i assess it. >> okay. >> do you agree? you're the expert. >> i completely agree, ditto on that. so let me just say this. thanks to tom for taking the time for joining us. thank you to all of you for having us. and also, i mean, sincerely thanks to tom for his service. we always thank people for the government service. but there is a cadre of people who are real professionals who step into the toughest jobs that come along in government at sometimes the toughest times. and tom is the example of that. i think we all owe him a debt of gratitude. [ applause ]
>> okay. ask you not to go anywhere. we're going to go straight into our next panel. we're running just a touch behind. you will not regret staying. this is going to be a great group. tom bossert, thank you very much. really appreciate it. ken, thank you very much. great job, guys.